redline | ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74

Analysis

max time kernel
68s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Size

695KB
MD5

399dac108b9fd8da34f8579cd6521bb9
SHA1

6b5bfda81085869f3fa761691abe4dded2100209
SHA256

ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74
SHA512

8573cab7778d498eb08c03db8b79c5ced4ee27e713ab6efc2799f4500f323dda027fdfe78f97fa0593e17d71e39b59c49ffa5b54c7c90db062dd55e8f829dc49
SSDEEP

12288:kMrvy90V5ibYrqBJpolQkkjRHkcvDtEaSf7MRNZDA1B1/t1zq5MJmHHmxsHheTmI:TyvcGsPWRE0xyMpAxt1qWQGxo0iI

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1540.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1540.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4416-177-0x0000000002400000-0x0000000002446000-memory.dmp	family_redline
behavioral1/memory/4416-178-0x00000000025A0000-0x00000000025E4000-memory.dmp	family_redline
behavioral1/memory/4416-179-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-180-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-182-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-184-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-186-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-188-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-190-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-198-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-194-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-200-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-202-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-204-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-206-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-208-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-210-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-212-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-214-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4416-216-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2272	un539911.exe
2456	pro1540.exe
4416	qu2680.exe
1376	si613475.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1540.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1540.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un539911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un539911.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2456	pro1540.exe
2456	pro1540.exe
4416	qu2680.exe
4416	qu2680.exe
1376	si613475.exe
1376	si613475.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	pro1540.exe
Token: SeDebugPrivilege	4416	qu2680.exe
Token: SeDebugPrivilege	1376	si613475.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2272	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	66
PID 1560 wrote to memory of 2272	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	66
PID 1560 wrote to memory of 2272	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	66
PID 2272 wrote to memory of 2456	2272	un539911.exe	67
PID 2272 wrote to memory of 2456	2272	un539911.exe	67
PID 2272 wrote to memory of 2456	2272	un539911.exe	67
PID 2272 wrote to memory of 4416	2272	un539911.exe	68
PID 2272 wrote to memory of 4416	2272	un539911.exe	68
PID 2272 wrote to memory of 4416	2272	un539911.exe	68
PID 1560 wrote to memory of 1376	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	70
PID 1560 wrote to memory of 1376	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	70
PID 1560 wrote to memory of 1376	1560	ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe	70

C:\Users\Admin\AppData\Local\Temp\ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe
"C:\Users\Admin\AppData\Local\Temp\ff5bb9c77ce1783a00aa8908e7fe12aba9a085d60d4294685520234952646c74.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si613475.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si613475.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si613475.exe

Filesize
175KB

MD5
b3f1c8e101e88a2b0d78bc3eace6a967

SHA1
13275e396b3e024c9ea8c29ed6687ddaf744738f

SHA256
4ffb07fa6fc4b9d15e60a3fed1d68480a9c8e298abc92ddc009bd205f6d8e4a4

SHA512
6c0ebbb8ab80908a9362473860d0cdd4154d0b719fd9a1f93e64c9d123b4c8b3cd203f9a3d0fa71cddef10bc24b480de472400add20af9cd37e680ae677a0b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si613475.exe

Filesize
175KB

MD5
b3f1c8e101e88a2b0d78bc3eace6a967

SHA1
13275e396b3e024c9ea8c29ed6687ddaf744738f

SHA256
4ffb07fa6fc4b9d15e60a3fed1d68480a9c8e298abc92ddc009bd205f6d8e4a4

SHA512
6c0ebbb8ab80908a9362473860d0cdd4154d0b719fd9a1f93e64c9d123b4c8b3cd203f9a3d0fa71cddef10bc24b480de472400add20af9cd37e680ae677a0b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe

Filesize
553KB

MD5
ab0a44c458a1f9165032f1196ad185ec

SHA1
009cf992ef5c71c99e14a14ba78077676fa37148

SHA256
ad4d9346103a9ed380792c3463aeab8d9ed7c49c269e71a0769ce06247f5267a

SHA512
c6150531ca22a756fb85baa554743993e67b49cc03f0fe726325319e268e893b8d44819cf73193f745f82aed8529a6a4c066b222b0c02c742e7c3dda80738406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un539911.exe

Filesize
553KB

MD5
ab0a44c458a1f9165032f1196ad185ec

SHA1
009cf992ef5c71c99e14a14ba78077676fa37148

SHA256
ad4d9346103a9ed380792c3463aeab8d9ed7c49c269e71a0769ce06247f5267a

SHA512
c6150531ca22a756fb85baa554743993e67b49cc03f0fe726325319e268e893b8d44819cf73193f745f82aed8529a6a4c066b222b0c02c742e7c3dda80738406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe

Filesize
308KB

MD5
602052a807f92a887a1d1dad31672d9f

SHA1
0877ab1ac2365f8f8bf6ff3d68757299ee4252f3

SHA256
8b005cc985745bc13a9d26198bfec30bd685948e2bf2dbba10cae4a428c9c07c

SHA512
f6feefd0fba495124bdc9ee4bea10fb6db2daa58711a1f0534ddf99a0fe7982c84fa8fac2bc904858e81f46b4f736bdaace93bf4c8d87443a1e5efe11c5ddf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1540.exe

Filesize
308KB

MD5
602052a807f92a887a1d1dad31672d9f

SHA1
0877ab1ac2365f8f8bf6ff3d68757299ee4252f3

SHA256
8b005cc985745bc13a9d26198bfec30bd685948e2bf2dbba10cae4a428c9c07c

SHA512
f6feefd0fba495124bdc9ee4bea10fb6db2daa58711a1f0534ddf99a0fe7982c84fa8fac2bc904858e81f46b4f736bdaace93bf4c8d87443a1e5efe11c5ddf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe

Filesize
366KB

MD5
1c5e6d86c501548f9b73433c672e7861

SHA1
d1f3ba5194d3aa70239ed7b32ffa5b1680d8edfd

SHA256
a325b93ffad1072157194287e2d290314bf450f1b38e8323517307a27d047a62

SHA512
3b5dd69ecfd5446585e1a11f0236e693bcd2ea366315e5150fa98dfdb18fa61aa88acf2adc4e32da9ba1484b633a04c74c5c638275c6d4bf7ee85660a3fa51b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2680.exe

Filesize
366KB

MD5
1c5e6d86c501548f9b73433c672e7861

SHA1
d1f3ba5194d3aa70239ed7b32ffa5b1680d8edfd

SHA256
a325b93ffad1072157194287e2d290314bf450f1b38e8323517307a27d047a62

SHA512
3b5dd69ecfd5446585e1a11f0236e693bcd2ea366315e5150fa98dfdb18fa61aa88acf2adc4e32da9ba1484b633a04c74c5c638275c6d4bf7ee85660a3fa51b2

Download Submit
memory/1376-1111-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/1376-1112-0x0000000003040000-0x000000000308B000-memory.dmp

Filesize
300KB

Download
memory/1376-1113-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2456-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-140-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/2456-142-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-141-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-136-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/2456-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-139-0x0000000004D60000-0x000000000525E000-memory.dmp

Filesize
5.0MB

Download
memory/2456-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2456-169-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/2456-170-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2456-172-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2456-138-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/2456-137-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4416-182-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-212-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-179-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-184-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-186-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-188-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-190-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-191-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/4416-193-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-195-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-197-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-198-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-194-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-200-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-202-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-204-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-206-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-208-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-210-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-180-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-214-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-216-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4416-1089-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/4416-1090-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-1091-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4416-1092-0x0000000004DF0000-0x0000000004E2E000-memory.dmp

Filesize
248KB

Download
memory/4416-1093-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/4416-1094-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-1096-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4416-1097-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/4416-1098-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-1099-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-1100-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4416-1101-0x00000000065F0000-0x00000000067B2000-memory.dmp

Filesize
1.8MB

Download
memory/4416-1102-0x00000000067C0000-0x0000000006CEC000-memory.dmp

Filesize
5.2MB

Download
memory/4416-178-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/4416-177-0x0000000002400000-0x0000000002446000-memory.dmp

Filesize
280KB

Download
memory/4416-1103-0x0000000006F60000-0x0000000006FD6000-memory.dmp

Filesize
472KB

Download
memory/4416-1104-0x0000000006FE0000-0x0000000007030000-memory.dmp

Filesize
320KB

Download
memory/4416-1105-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download